28ddeb124f
* basic user sync Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add group sync and some refactor Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * allow null authorization flow Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add UI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make task monitored Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add missing dependency Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make authorization_flow required for most providers via API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more UI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make task result better readable, exclude anonymous user Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add task UI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add scheduled task for all sync Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make scim errors more readable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add mappings, migrate to mappings Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add mapping UI and more Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add scim docs to web Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start implementing membership Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate signals to tasks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate fully to tasks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * strip none keys, fix lint errors Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix things Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start adding tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix saml Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add scim schemas and validate against it Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve error handling Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add group put support, add group tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * send correct application/scim+json headers Signed-off-by: Jens Langhammer <jens@goauthentik.io> * stop sync if no mappings are confiugred Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add test for task sync Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add membership tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use decorator for tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make tests better Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
284 lines
13 KiB
XML
284 lines
13 KiB
XML
<?xml version="1.0" encoding="US-ASCII"?>
|
|
<schema
|
|
targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
|
|
xmlns="http://www.w3.org/2001/XMLSchema"
|
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
|
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
|
|
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
|
|
elementFormDefault="unqualified"
|
|
attributeFormDefault="unqualified"
|
|
blockDefault="substitution"
|
|
version="2.0">
|
|
<import namespace="http://www.w3.org/2000/09/xmldsig#"
|
|
schemaLocation="xmldsig-core-schema.xsd"/>
|
|
<import namespace="http://www.w3.org/2001/04/xmlenc#"
|
|
schemaLocation="xenc-schema.xsd"/>
|
|
<annotation>
|
|
<documentation>
|
|
Document identifier: saml-schema-assertion-2.0
|
|
Location: http://docs.oasis-open.org/security/saml/v2.0/
|
|
Revision history:
|
|
V1.0 (November, 2002):
|
|
Initial Standard Schema.
|
|
V1.1 (September, 2003):
|
|
Updates within the same V1.0 namespace.
|
|
V2.0 (March, 2005):
|
|
New assertion schema for SAML V2.0 namespace.
|
|
</documentation>
|
|
</annotation>
|
|
<attributeGroup name="IDNameQualifiers">
|
|
<attribute name="NameQualifier" type="string" use="optional"/>
|
|
<attribute name="SPNameQualifier" type="string" use="optional"/>
|
|
</attributeGroup>
|
|
<element name="BaseID" type="saml:BaseIDAbstractType"/>
|
|
<complexType name="BaseIDAbstractType" abstract="true">
|
|
<attributeGroup ref="saml:IDNameQualifiers"/>
|
|
</complexType>
|
|
<element name="NameID" type="saml:NameIDType"/>
|
|
<complexType name="NameIDType">
|
|
<simpleContent>
|
|
<extension base="string">
|
|
<attributeGroup ref="saml:IDNameQualifiers"/>
|
|
<attribute name="Format" type="anyURI" use="optional"/>
|
|
<attribute name="SPProvidedID" type="string" use="optional"/>
|
|
</extension>
|
|
</simpleContent>
|
|
</complexType>
|
|
<complexType name="EncryptedElementType">
|
|
<sequence>
|
|
<element ref="xenc:EncryptedData"/>
|
|
<element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
</complexType>
|
|
<element name="EncryptedID" type="saml:EncryptedElementType"/>
|
|
<element name="Issuer" type="saml:NameIDType"/>
|
|
<element name="AssertionIDRef" type="NCName"/>
|
|
<element name="AssertionURIRef" type="anyURI"/>
|
|
<element name="Assertion" type="saml:AssertionType"/>
|
|
<complexType name="AssertionType">
|
|
<sequence>
|
|
<element ref="saml:Issuer"/>
|
|
<element ref="ds:Signature" minOccurs="0"/>
|
|
<element ref="saml:Subject" minOccurs="0"/>
|
|
<element ref="saml:Conditions" minOccurs="0"/>
|
|
<element ref="saml:Advice" minOccurs="0"/>
|
|
<choice minOccurs="0" maxOccurs="unbounded">
|
|
<element ref="saml:Statement"/>
|
|
<element ref="saml:AuthnStatement"/>
|
|
<element ref="saml:AuthzDecisionStatement"/>
|
|
<element ref="saml:AttributeStatement"/>
|
|
</choice>
|
|
</sequence>
|
|
<attribute name="Version" type="string" use="required"/>
|
|
<attribute name="ID" type="ID" use="required"/>
|
|
<attribute name="IssueInstant" type="dateTime" use="required"/>
|
|
</complexType>
|
|
<element name="Subject" type="saml:SubjectType"/>
|
|
<complexType name="SubjectType">
|
|
<choice>
|
|
<sequence>
|
|
<choice>
|
|
<element ref="saml:BaseID"/>
|
|
<element ref="saml:NameID"/>
|
|
<element ref="saml:EncryptedID"/>
|
|
</choice>
|
|
<element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
<element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
|
|
</choice>
|
|
</complexType>
|
|
<element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
|
|
<complexType name="SubjectConfirmationType">
|
|
<sequence>
|
|
<choice minOccurs="0">
|
|
<element ref="saml:BaseID"/>
|
|
<element ref="saml:NameID"/>
|
|
<element ref="saml:EncryptedID"/>
|
|
</choice>
|
|
<element ref="saml:SubjectConfirmationData" minOccurs="0"/>
|
|
</sequence>
|
|
<attribute name="Method" type="anyURI" use="required"/>
|
|
</complexType>
|
|
<element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
|
|
<complexType name="SubjectConfirmationDataType" mixed="true">
|
|
<complexContent>
|
|
<restriction base="anyType">
|
|
<sequence>
|
|
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
<attribute name="NotBefore" type="dateTime" use="optional"/>
|
|
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
|
|
<attribute name="Recipient" type="anyURI" use="optional"/>
|
|
<attribute name="InResponseTo" type="NCName" use="optional"/>
|
|
<attribute name="Address" type="string" use="optional"/>
|
|
<anyAttribute namespace="##other" processContents="lax"/>
|
|
</restriction>
|
|
</complexContent>
|
|
</complexType>
|
|
<complexType name="KeyInfoConfirmationDataType" mixed="false">
|
|
<complexContent>
|
|
<restriction base="saml:SubjectConfirmationDataType">
|
|
<sequence>
|
|
<element ref="ds:KeyInfo" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
</restriction>
|
|
</complexContent>
|
|
</complexType>
|
|
<element name="Conditions" type="saml:ConditionsType"/>
|
|
<complexType name="ConditionsType">
|
|
<choice minOccurs="0" maxOccurs="unbounded">
|
|
<element ref="saml:Condition"/>
|
|
<element ref="saml:AudienceRestriction"/>
|
|
<element ref="saml:OneTimeUse"/>
|
|
<element ref="saml:ProxyRestriction"/>
|
|
</choice>
|
|
<attribute name="NotBefore" type="dateTime" use="optional"/>
|
|
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
|
|
</complexType>
|
|
<element name="Condition" type="saml:ConditionAbstractType"/>
|
|
<complexType name="ConditionAbstractType" abstract="true"/>
|
|
<element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
|
|
<complexType name="AudienceRestrictionType">
|
|
<complexContent>
|
|
<extension base="saml:ConditionAbstractType">
|
|
<sequence>
|
|
<element ref="saml:Audience" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
</extension>
|
|
</complexContent>
|
|
</complexType>
|
|
<element name="Audience" type="anyURI"/>
|
|
<element name="OneTimeUse" type="saml:OneTimeUseType" />
|
|
<complexType name="OneTimeUseType">
|
|
<complexContent>
|
|
<extension base="saml:ConditionAbstractType"/>
|
|
</complexContent>
|
|
</complexType>
|
|
<element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
|
|
<complexType name="ProxyRestrictionType">
|
|
<complexContent>
|
|
<extension base="saml:ConditionAbstractType">
|
|
<sequence>
|
|
<element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
<attribute name="Count" type="nonNegativeInteger" use="optional"/>
|
|
</extension>
|
|
</complexContent>
|
|
</complexType>
|
|
<element name="Advice" type="saml:AdviceType"/>
|
|
<complexType name="AdviceType">
|
|
<choice minOccurs="0" maxOccurs="unbounded">
|
|
<element ref="saml:AssertionIDRef"/>
|
|
<element ref="saml:AssertionURIRef"/>
|
|
<element ref="saml:Assertion"/>
|
|
<element ref="saml:EncryptedAssertion"/>
|
|
<any namespace="##other" processContents="lax"/>
|
|
</choice>
|
|
</complexType>
|
|
<element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
|
|
<element name="Statement" type="saml:StatementAbstractType"/>
|
|
<complexType name="StatementAbstractType" abstract="true"/>
|
|
<element name="AuthnStatement" type="saml:AuthnStatementType"/>
|
|
<complexType name="AuthnStatementType">
|
|
<complexContent>
|
|
<extension base="saml:StatementAbstractType">
|
|
<sequence>
|
|
<element ref="saml:SubjectLocality" minOccurs="0"/>
|
|
<element ref="saml:AuthnContext"/>
|
|
</sequence>
|
|
<attribute name="AuthnInstant" type="dateTime" use="required"/>
|
|
<attribute name="SessionIndex" type="string" use="optional"/>
|
|
<attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
|
|
</extension>
|
|
</complexContent>
|
|
</complexType>
|
|
<element name="SubjectLocality" type="saml:SubjectLocalityType"/>
|
|
<complexType name="SubjectLocalityType">
|
|
<attribute name="Address" type="string" use="optional"/>
|
|
<attribute name="DNSName" type="string" use="optional"/>
|
|
</complexType>
|
|
<element name="AuthnContext" type="saml:AuthnContextType"/>
|
|
<complexType name="AuthnContextType">
|
|
<sequence>
|
|
<choice>
|
|
<sequence>
|
|
<element ref="saml:AuthnContextClassRef"/>
|
|
<choice minOccurs="0">
|
|
<element ref="saml:AuthnContextDecl"/>
|
|
<element ref="saml:AuthnContextDeclRef"/>
|
|
</choice>
|
|
</sequence>
|
|
<choice>
|
|
<element ref="saml:AuthnContextDecl"/>
|
|
<element ref="saml:AuthnContextDeclRef"/>
|
|
</choice>
|
|
</choice>
|
|
<element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
</complexType>
|
|
<element name="AuthnContextClassRef" type="anyURI"/>
|
|
<element name="AuthnContextDeclRef" type="anyURI"/>
|
|
<element name="AuthnContextDecl" type="anyType"/>
|
|
<element name="AuthenticatingAuthority" type="anyURI"/>
|
|
<element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
|
|
<complexType name="AuthzDecisionStatementType">
|
|
<complexContent>
|
|
<extension base="saml:StatementAbstractType">
|
|
<sequence>
|
|
<element ref="saml:Action" maxOccurs="unbounded"/>
|
|
<element ref="saml:Evidence" minOccurs="0"/>
|
|
</sequence>
|
|
<attribute name="Resource" type="anyURI" use="required"/>
|
|
<attribute name="Decision" type="saml:DecisionType" use="required"/>
|
|
</extension>
|
|
</complexContent>
|
|
</complexType>
|
|
<simpleType name="DecisionType">
|
|
<restriction base="string">
|
|
<enumeration value="Permit"/>
|
|
<enumeration value="Deny"/>
|
|
<enumeration value="Indeterminate"/>
|
|
</restriction>
|
|
</simpleType>
|
|
<element name="Action" type="saml:ActionType"/>
|
|
<complexType name="ActionType">
|
|
<simpleContent>
|
|
<extension base="string">
|
|
<attribute name="Namespace" type="anyURI" use="required"/>
|
|
</extension>
|
|
</simpleContent>
|
|
</complexType>
|
|
<element name="Evidence" type="saml:EvidenceType"/>
|
|
<complexType name="EvidenceType">
|
|
<choice maxOccurs="unbounded">
|
|
<element ref="saml:AssertionIDRef"/>
|
|
<element ref="saml:AssertionURIRef"/>
|
|
<element ref="saml:Assertion"/>
|
|
<element ref="saml:EncryptedAssertion"/>
|
|
</choice>
|
|
</complexType>
|
|
<element name="AttributeStatement" type="saml:AttributeStatementType"/>
|
|
<complexType name="AttributeStatementType">
|
|
<complexContent>
|
|
<extension base="saml:StatementAbstractType">
|
|
<choice maxOccurs="unbounded">
|
|
<element ref="saml:Attribute"/>
|
|
<element ref="saml:EncryptedAttribute"/>
|
|
</choice>
|
|
</extension>
|
|
</complexContent>
|
|
</complexType>
|
|
<element name="Attribute" type="saml:AttributeType"/>
|
|
<complexType name="AttributeType">
|
|
<sequence>
|
|
<element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
|
|
</sequence>
|
|
<attribute name="Name" type="string" use="required"/>
|
|
<attribute name="NameFormat" type="anyURI" use="optional"/>
|
|
<attribute name="FriendlyName" type="string" use="optional"/>
|
|
<anyAttribute namespace="##other" processContents="lax"/>
|
|
</complexType>
|
|
<element name="AttributeValue" type="anyType" nillable="true"/>
|
|
<element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
|
|
</schema>
|